Altai Certification Training Configuration Professional Services Altai Technologies Limited

Module Outline AP Default Settings A8 Basic Configurations A8 Advanced Configurations 5GHz Bridge Mode Configuration A8-A2 Bridge Mode Configuration A8-C1 CPE Mode Configuration A8-Ein/A8n Configurations

AP Default Settings A8/A8-Ei/A8-i default IP address 192.168.1.222 255.255.255.0 FW 2.2.3.101 Username: altai Password: wag A2/A2e default IP address 192.168.1.20 FW 1.0.0.26 A8-Ein/A8n default IP address 192.168.1.222 255.255.255.0 FW 1.2.0.621 Username: root Password: superwifi123 C1 management IP address 192.168.99.99 FW 1.0.0.19 Username: altai Password: wag

A8 Basic Configuration

Configuration Case A8 Basic configurations: Regulatory domain: RoW Disable DHCP Client (Static IP Address) IP Address: 10.6.127.185 Subnet mask: 255.255.255.0 Default gateway: 10.6.127.1 Wireless mode: 802.11b/g mode Radio frequency: To be determined by Channel Scan result Transmitting power: 25dBm VAP 0 (Management and normal service VAP) SSID: WiFi_mgt Suppressed SSID: Enabled Maximum Clients: 10 Wireless security: WPA-PSK + AES VAP 1 (For service only VAP) SSID: WiFi_Service Maximum Clients: 256 5 5

Tools>Channel Scan Click to start channel scan All the clients traffic would be interrupted during the channel scan test. 6 6

Tools>Channel Scan Channel Scan Success Click to show Noise Floor 7 7

Tools>Channel Scan Key Considerations: Num of SSID Neighbor SSID Usage Noise level 8 8

Configuration>System Select A8 FCC (US Standard) – 2.4GHz Max EIRP 36dBm ETSI (European Standard) – 2.4GHz Max EIRP 20dBm RoW (Rest of the world) – 2.4GHz Max EIRP 60dBm Click Save to batch the changes 9 9

Configuration>Network Recommend “Static IP” Static IP, subnet mask and default gateway configuration (Default IP address: 192.168.1.222) Click Save to batch the changes 10 10

Configuration>2.4G Wireless AP>General Wireless mode (802.11b Max 11Mbps, 802.11b/g Max 54Mbps, 802.11g Max 54Mbps) Select channel: ETSI/RoW Ch1-13 FCC Ch1-11 11

Configuration>2.4G Wireless AP>Sectors Maximum Tx Power 25dBm Antenna Gain - Cable Loss + Tx Power ≤ Max EIRP 12

Configuration>2.4G Wireless AP>VAP Basic Default value: 256 A8 will not broadcast SSID Set SSID Enabled allows traffic to pass between stations in a VAP. For mgt VAP, recommended enable. For normal service VAP, disable. Enable VAP Normal Service: Allow to access Internet Management: Allow to access the A8 web interface. Only VAP 0 has this configuration. Click Save to batch the changes Remark: VAP 0 usually acts as management VAP so it only allows small number of wireless clients and hidden its SSID. VAP 1 acts as normal service VAP so it sets maximum clients. 13

Inter/Intra-VAP Traffic Control The feature: Traffic among clients of the same SSID/VAP can be blocked Traffic among clients of different SSID/VAP can be blocked The user benefit: Improved network security Better network traffic control Intra-VAP traffic blocked Inter-VAP traffic blocked SSID 2 SSID 1 A8 SSID 2 SSID 1

Configuration>2.4G Wireless AP>VAP Basic Default: Access Can change to “Trunk” Click Save to batch the changes Remark: VAP 0 usually acts as management VAP so it only allows small number of wireless clients and hidden its SSID. VAP 1 acts as normal service VAP so it sets maximum clients. 15

Configuration>2.4G Wireless AP>VAP Security Authentication Open Shared Key WPA WPA-PSK WPA2 WPA2-PSK Cipher Disable WEP AES/TKIP AES Key 4 Keys RADIUS PassPhrase 16

Highly Secure The Altai technology: The user benefit: SSID suppression, inter/intra-VAP traffic blocking Rogue AP detection WPA, WPA2-PSK, 802.1x (PEAP, TLS, TTLS) authentication, MAC address filtering WEP, TKIP and AES encryption Backup RADIUS server support The user benefit: Latest encryption and authentication support Radio channel scanning and auto alarm for rogue AP

Reboot AP Click Reboot AP to apply all changes Click OK Wait for 30s to reload the web page 18

A8 Advanced Configuration

Configuration Case A8 configurations: Similar to basic configuration, except Network Operation Mode: Gateway Local IP Address: 192.168.125.1/24 NAT Mode: Enabled 2.4GHz DHCP Snooping Trusted Port: Disabled Bandwidth Control: Airtime: DL 30%, UL 30% Multicast Data Rate Control QoS and DiffServ Tag: Enabled Congestion Avoidance: FW-RED Access Link Safe Mode: Enabled Ping Host: 10.6.127.1 Ping interval: 30s 20 20

Configuration Case VAP 0 (Management and normal service VAP) QoS Profile: Very High VAP 1 (For normal WiFi service only) QoS Profile: ToS/802.1Q VAP 2 (For surveillance camera, authenticated by RADIUS) SSID: WiFi_camera Maximum Clients: 15 QoS Profile: High Wireless security: WPA + AES Primary RADIUS Server: 10.6.127.120 RADIUS Port: 1812 RADIUS secret: test 21 21

Configuration > Network>General Recommended: FWRED Enable Gateway Mode Configure LAN port IP, subnet mask Configuration > Network>NAT Enable NAT Mode Click Save to batch the changes 22

Congestion Avoidance The feature: The user benefit: A8 can avoid congestion by dropping selected frames in the Tx queue when it is full based on one of the following mechanisms: 1) Tail Drop 2) Random Early Drop (RED) 3) Fair Weighted Random Early Drop (FWRED) (Altai patent pending) The user benefit: Avoid congestion due to a few problem clients Higher average throughput for the majority Tail drop – all last incoming packets will be dropped Tx queue is FULL A8 FWRED – highest airtime usage client packets will be dropped RED – most frequently occurred client packets will be dropped

Configuration > 2.4G Wireless AP>General 2.4GHz (unselected by default) Click Save to batch the changes 24

Configuration > 2.4G Wireless AP>General Ethernet (Trusted by default) 5GHz (Optional) 2.4GHz (Optional) Click Save to batch the changes 25

DHCP Snooping Trusted Port x means untrusted interface By default, Ethernet is trusted port DHCP Server Client3 (DHCP Server) Ethernet 2.4G 5G x A8-1 x A8-2 x x x 2.4G Client4 2.4G 2.4G Suppose A8 is in switch mode, all clients should get IP address from ethernet DHCP server, to avoid getting from client’s DHCP server, need to disable two A8s’ 2.4GHz trusted port and A8-1’s 5GHz trusted port. Client1 Client2 (DHCP Server) 26

Bandwidth Control on Airtime/Throughput The operation: 2 modes of control - Throughput (in kbps) or Airtime (in % of occupancy) Bandwidth limit can be set per VPA/client/uplink/downlink for both modes Airtime control can prevent the low data rate (11b) clients from occupying too much airtime (throughput mode cannot solve this problem) Throughput controlled to 250 Kbps per station Airtime controlled to 5% per station

Configuration > 2.4G Wireless AP>Bandwidth Control Enabled Throughput VAP: Total bandwidth for one SSID Station: Total bandwidth for each wireless client Set value to specify the maximum bandwidth 28

Configuration > 2.4G Wireless AP>Bandwidth Control Enabled Airtime Set airtime value, default setting is 5%. Used to limit the use time of low data rate user. 29

Bandwidth Control Example BEFORE 3000 ms response time There are many low speed free WiFi users dragging down the performance of premium WiFi users Using the airtime bandwidth control feature with VAP set to 15% and Station set to 5%, the congestion problem was totally resolved. CPE client ping time improved from 3000 ms to 50 ms AFTER 50 ms response time

Configuration > 2.4G Wireless AP>General Protection Mode (Auto) When 11b only client exists, protection mode is automatically enabled to use protection rate for either CTS or RTS-CTS packet. Enabled Multicast Traffic Choose Multicast Data Rate. Enabled IGMP Snooping Recommended low multicast data rate and IGMP snooping enabled Click Save to batch the changes 31

Multicast Traffic Filter The feature: A8 can be set to drop all multicast traffic A8 can be set to limit multicast traffic to certain data rate The user benefit: Limit unnecessary multicast traffic Improve bandwidth utilization Multicast packets at high data rate Source Multicast packets can be limited to lower data rate

IGMP Snooping The feature: The user benefit: Multicast traffic from a client in one SSID will only broadcast to the clients within that multicast group of the same SSID Without IGMP snooping, multicast packets will be transmitted to all clients across all SSIDs With IGMP snooping, multicast packets will only be transmitted to the registered clients under the same SSID The user benefit: Reduce multicast storm and unnecessary traffic Improve bandwidth utilization Source Source A8 SSID 1 SSID 3 SSID 1 SSID 3 Multicast packets SSID 2 SSID 2 IGMP: Internet Group Management Protocol

Configuration > Network>Backhaul Link Integrity Enable access link safe mode A8 pings to 10.6.127.1 for every other 30s. If ping request timeout for 3 times, it reboots and enters safe mode with SSID: “SafeMode<MAC address>”. Click Save to batch the changes 34

Highly Resilient The Altai technology: The user benefit: Link Integrity – check link status from client up to the application servers Backhaul Link Self Healing – automatic backhaul failover and recovery Access redundancy – clients are at least covered by 2 or more A8 Access Link Safe Mode – automatic reboot with new SSID forcing client to release Resilient Backhaul Architecture The user benefit: Complete backhaul protection Mission critical proof Improve network stability Saves downtime cost A2 Backhaul link self healing Multiple coverage by A8 A8

Configuration > Network>QoS Enabled QoS and DiffServ Enabling QoS adds traffic priority tag in the packets. DiffServ Tagging is effective after enabling QoS. ToS field of IP packets will be changed based on QoS policy configuration. QoS Profile: Very High, High, Normal, Low, ToS/802.1Q, IP ToS/802.1Q changes the tag basing on the packet type IP changes the tag basing on the port range and protocol Click Save to batch the changes 36

Configuration > 2.4G Wireless AP>VAP Basic Enable VAP2 Set SSID Set 15 clients High QoS Click Save to batch the changes 37

Configuration > 2.4G Wireless AP>VAP Security Select WPA Click Update Select AES Enter RADIUS Server information 38 Click Save to batch the changes

5GHz Bridge Configuration

Bridge Combinations A8-A2 802.11a Mode Maximum Data Rate: 54 Mbps 802.11na HT40 ext ch +1/-1 Maximum Data Rate: 300 Mbps A8-A8 802.11a Turbo + Bursting Mode + Fast Mode Maximum Data Rate: 108 Mbps 40

A8-A2 5GHz Bridge Configuration

Sample Solution Layout A8-A2 Bridge 42 42 42 42

A8 for large outdoor coverage A2 for coverage & capacity enhancement 5GHz Bridge Access Up to 1km LOS 2km A2: 450 m LOS A8 for large outdoor coverage A2 for coverage & capacity enhancement Bridge: a backhaul link at 5GHz signal (802.11a) Example Configurations: A2 setups 5GHz bridge with A8 5GHz MAC address Enable 802.11a Channel 56 Enable AES (Recommended bridge security) A8 setups 5GHz bridge with A2 5GHz MAC address Enable AES All configurations on both sides must be the same, except MAC address 43 43 43 43

Rogue AP Detection

Rogue AP Detection The feature: The user benefit: Neighboring APs’ information is obtained by the channel scan function The scanned neighboring AP list will be validated against the defined legitimate AP list (BSSID with MAC address info, SSID) Rogue AP is declared if the validation with the legitimate AP list fails The user benefit: Reduce security threats to the network Auto alert & reporting with the use of AWMS Useful tool for deployment A8 is scheduled to perform channel scan Rogue AP Check against legitimate AP list in A8 Legitimate AP list Reporting through AWMS or remote access

A8: Status > Overview A8 5GHz MAC address Remark: The backside of AP unit also has 5GHz MAC address 46 46

A2: Configuration > 5G Radio 1. Select 802.11a mode 2. Click Update 3. Select Frequency 4. Type in Bridge Distance 5. A8 5GHz radio MAC address 6. Select AES 7. Type in Key 8. Click Update 47

A8: Configuration>5G Wireless Bridge 1. Select 802.11a mode 2. Click Save 3. Select Frequency 4. Type in Bridge Distance Click Save to batch the changes

A8: Configuration>5G Wireless Bridge>Remote Bridge 5. Type in A2 5GHz radio MAC address and click Add to List A8: Configuration>5G Wireless Bridge>Security 6. Select AES 7. Type in Key Click Save to batch the changes

A8: Status > 5G Wireless Bridge State Up: associated Inactive: disconnected 50

A8: Status > 5G Wireless Bridge Maximum Data Rate 11a mode: 54Mbps 51

A2-A2 5GHz Bridge Configuration

A2 for small area coverage & capacity enhancement 5GHz Bridge A2 for small area coverage & capacity enhancement A2: 450 m LOS A2: 450m LOS Access 2km Bridge: a backhaul link at 5GHz signal (802.11a) Example Configurations: A2 setups 5GHz bridge with A2 5GHz MAC address Enable 802.11na HT40ext ch+1 Channel 36 Enable AES (Recommended bridge security) Enable AES All configurations on both sides must be the same, except MAC address 53 53 53 53

A2: Configuration > 5G Radio 1. Select 11na HT40ext ch + 1 2. Click Update 3. Select Frequency 4. Type in Bridge Distance 5. A2 5GHz radio MAC address 6. Select AES 7. Type in Key 8. Click Update Wireless modes: 802.11a - Max 54Mbps 802.11na HT20 - Max 130Mbps 802.11na HT40ext ch+1 - Max 300Mbps 802.11na HT40ext ch-1 - Max 300Mbps Different channel sets 54

A8-A8 5GHz Bridge Configuration

A8 for large outdoor coverage 5GHz Bridge Up to 1km LOS A8 for large outdoor coverage Access Up to 1km LOS 2km Bridge: a backhaul link at 5GHz signal (802.11a Turbo Mode) Example Configurations: A8 setups 5GHz bridge with A8 5GHz MAC address Enable 802.11a Turbo Mode +Bursting Mode + Fast Mode Channel 56 Enable AES (Recommended bridge security) A8 setups 5GHz bridge with A2 5GHz MAC address Enable AES All configurations on both sides must be the same, except MAC address 56 56 56 56

A8: Configuration>5G Wireless Bridge>General 1. Select Turbo mode 2. Click Save 3. Select Frequency 4. Type in Bridge Distance 5. Enable Bursting and Fast Frame Click Save to batch the changes 57

A8: Configuration>5G Wireless Bridge>Remote Bridge 5. Type in A8 5GHz radio MAC address and click Add to List A8: Configuration>5G Wireless Bridge>Security 6. Select AES 7. Type in Key Click Save to batch the changes 58

C1 CPE Configuration

Configuration Case A8 Configurations: C1 Configurations: VAP1 SSID: A8_CPE Maximum Clients: 256 Wireless security: Open C1 Configurations: CPE Mode: also named station mode VAP 0 Connect to A8_CPE 60

A8 Configurations Set SSID Set VAP Security 61

C1 Configurations Configuration>2.4GHz Radio Enable Station Mode Click Edit to modify VAP config 62

C1 Configurations Configuration>2.4GHz Radio>VAP 0 Enable VAP0 Click Scan to scan available SSID Only connect to a particular AP with the specific MAC. Usefull when SSIDs are the same. Click Edit to set security config, the same with A8 63

C1 Configurations RSSI level Channel Choose one SSID 64

A8:Status>2.4G Wireless AP>Association List C1 is connected to A8 65

A8-Ein/A8n Configurations

Configuration>Network>General A8-Ein: Configuration>Network>General Recommend “Static IP” Static IP, subnet mask and default gateway configuration (Default IP address: 192.168.1.222) Click Submit to batch the changes

Tools>Channel Scan A8-Ein: Tools>Channel Scan Click to start channel scan All the clients traffic would be interrupted during the channel scan test.

Tools>Channel Scan A8-Ein: Tools>Channel Scan Channel Scan Success Noise Floor

Configuration>Wireless> Radio0>General Wireless mode (802.11b, 802.11b/g, 802.11g, 802.11n, 802.11ng) Channel Selection

Configuration>Wireless> Radio0>Superwifi Sector State Range Optimization Auto, 0~800m, 200~1000m, 400~1200m

Configuration>Wireless> Radio0>WLAN Edit SSID

Configuration>Wireless> Radio0>WLAN>WLAN General Will not broadcast SSID Set SSID Enabled allows traffic to pass between stations in a VAP. For mgt VAP, recommended enable. For normal service VAP, disable. Default value: 512 Access Traffic Right: Full Access or Management Only/Disable

Configuration>Wireless> Radio0>WLAN>WLAN Security Authentication Open Shared Key WPA WPA-PSK WPA2 WPA2-PSK WAPI WAPI-PSK Cipher Disable WEP AES/TKIP AES SMS4 Key 4 Keys RADIUS Passphrase AS

Configuration>Wireless> Radio0>WLAN>QoS Enable DSCP to WMM Mapping Different Value is different priority level

Configuration>Wireless> Radio0>WLAN>Bandwidth Control Bandwidth Control for Total WLAN Bandwidth Control for Each Station

Save and Apply Click Submit to apply all changes Click Save & Apply or Unsaved

A8-Ein/A8n & A8-Ein/A8n 5GHz Bridge Configuration

Configuration>Wireless> Radio1>General Enable Radio Radio Mode as AP Wireless Mode and Channel Disable Inter-WLAN Forwarding

Configuration>Wireless> Radio1>WLAN Edit WLAN

WLAN General Configuration Enable WLAN Enable VLAN Pass Through Hide SSID SSID Name for the Bridge

WLAN Security Configuration Authentication Mode as WPA2-PSK Passphrase

Configuration>Wireless> Radio1>General (Remote) Enable Radio Radio Mode as Station Transmit Power

Configuration>Wireless> Radio1>WLAN (Remote) Edit

Configuration>Wireless> Radio1>WLAN>WLAN General (Remote) SSID and Target BSSID

Configuration>Wireless> Radio1>WLAN>WLAN Security (Remote) Authentication Mode and Pass Phrase

Connection status Status>Interface>Radio1>Association List SSID Name Connection Status

A8-Ein/A8n & A2 5GHz Bridge Configuration

Notice When the A8-Ein and A2n make the Bridge, the A2n 5Ghz wireless should be as AP mode, and the A8-Ein 5Ghz wireless should be as Station mode, then it will pass through the VLAN. A8-Ein A2n 5Ghz Wireless Bridge AP Mode Station Mode

Configuration>5G Radio Radio Operational as AP mode Wireless Mode Channel Selection Edit VAP

VAP Configuration State as Up SSID of VAP Hide SSID Disable Intra-VAP Forwarding Enable VLAN Trunk Port Edit Security Configuration

Security Configuration Authentication Mode as WPA2-PSK Passphrase

Configuration>Wireless >Radio>WLAN (Remote) Edit WLAN

5GHz Radio Configuration (Remote) Enable WLAN The SSID is 5GHz radio SSID from the master AP The BSSID is MAC address of the 5GHz radio from the master AP

WLAN Security Configuration (Remote) Authentication mode as WAP2-PSK, Passphrase should match with the master AP

Connection status RSSI Information

Thank You